Providing Cyber Security: Industry Steps Up

08.18.09 - David Batz, Cyber Security Risk Manager, Alliant Energy
Today's natural gas transmission and distribution systems depend on computer technology and supervisory control and data acquisition (SCADA) systems to operate safely and efficiently. In the United States alone, there are nearly 300,000 miles of transmission pipe and 1.2 million miles of distribution mains, 814,000 miles of service lines and about 65 million services.

The need to provide effective cyber security is similar to challenges faced by bulk electric system and local power distribution providers, except that natural gas systems transport molecules, not electrons, and are equipped with safety devices, which are, in most cases, manually operable as federally required. But all of these groups depend on communications infrastructures, computer technologies, and people to safely and efficiently transport the energy product to the end user.

Many utilities have employed a series of measures to protect the critical computer systems and networks that control the flow of energy over geographically dispersed facilities. These measures include the use of technical and administrative controls.

Technical controls often used include, but are not limited to:

  • Firewalls to separate control systems from general corporate networks and the Internet
  • Network intrusion-detection systems to alert operators of potential security events
  • Event-logging systems to capture and maintain information regarding the operational status of control networks

Administrative controls often used include, but are not limited to:

  • Overall cyber-security policy and procedures
  • Change-management and change-control practices
  • Disaster recovery and business continuity planning and exercises

One of the major challenges associated with providing cyber-security protection for energy system SCADA and process-control components is addressing legacy equipment.

Corporate computer equipment, such as desktop computers, is generally replaced every three to five years. In contrast, natural gas SCADA components are often designed and priced to operate for a decade or more. Legacy systems may not be patchable and may be unable to communicate effectively with systems that use current encryption techniques.

Another challenge with protecting energy systems is that, to enhance operational efficiencies, many of the energy SCADA and process-control systems have become connected to corporate business systems. Some of these connections have created a pathway for malicious computer programs or unauthorized users to potentially disrupt the transmission or distribution of natural gas, electricity or water.

The industry takes cyber-security risks seriously. One of the ways we provide protection for our control networks is through information sharing and partnerships.

Though utilities compete for customers and protect intellectual capital and proprietary methods, there is one common goal -- safe, secure and reliable delivery of natural gas to the end user. The common goal from the cyber security perspective is best achieved through information sharing by way of topical forums, professional organizations and industry trade groups.

One such industry group is the American Gas Association. The association provides two venues -- the Natural Gas Security Committee and the Technology Advisory Council -- for the exchange of cyber security-related information. This is done through monthly conference calls with the Department of Homeland Security and semi-annual security meetings held jointly with the Edison Electric Institute.

Natural gas industry operators work closely with the Department of Energy and the Department of Homeland Security regarding cyber security-targeted initiatives. As structured in the National Infrastructure Plan, DOE is the sector-specific agency for the energy sector, which includes the natural gas pipeline infrastructure, and is responsible for coordinating the overall national effort to enhance protection of critical energy infrastructure.

The DHS Transportation Security Administration has regulatory authority, through Congressional mandate, over pipeline security. Thus, cyber security is comprehensively addressed by these two federal agencies and through a myriad of activities, including, but not limited to, the DOE Roadmap to Secure Control Systems in the Energy Sector and the TSA Oil & Natural Gas Pipeline Security Guidelines.

In its work on the DOE Roadmap, the natural gas sector is represented by the Energy Sector Control Systems Working Group, a unique public-private partnership made up of government representatives, natural gas and electric utility operators and cyber-security professionals. This group works to help guide implementation of the priorities identified in the industry-led Roadmap to Secure Control Systems in the Energy Sector. The group seeks to provide a platform for pursuing innovative and practical activities that will improve the cyber security of the control systems that manage our nation's energy infrastructure. Members have outlined four objectives for their efforts:

  • Help identify and implement practical, near-term activities that are high priority for the industry.
  • Promote the value to the industry of achieving the goals of the Roadmap.
  • Recommend critical areas for public and private investment.
  • Measure progress toward Roadmap goals and milestones.

The sector is also engaged in close partnership with the Department of Homeland Security and the Transportation Security Administration in the development of the TSA Oil & Natural Gas Pipeline Security Guidelines, which provide baseline cyber security guidance for noncritical cyber assets and advanced protection guidance for critical cyber assets.

DHS has also formed the Industrial Control Systems Joint Working Group, in which the natural gas sector actively participates. The goal of the group is to continue the efforts of the Process Control System Forum to accelerate the design, development and deployment of more secure industrial control systems. The group will provide a vehicle for communicating and partnering across all Critical Infrastructure and Key Resources Sectors between federal agencies and departments, as well as private asset owner/operators of industrial control systems.

Plenty of opportunities for collaboration remain. Recently, it was announced that the Air Force has completed implementation of a new "Secure by Default" version of the Microsoft XP operating system. This is a situation in which the government used its substantial influence as a major purchaser of systems to leverage a software vendor into providing a very specific, secure product. Use of this product has saved the government $100 million, and has reduced patch deployment times. Will this version of Windows be made available for use to protect the critical infrastructure?

We also welcome the creation of a new cyber security czar within the White House and look forward to working collaboratively for flexible, sustainable cyber security improvements. We hope the person who fills that role will work toward a partnership model with outcome-based objectives, rather than a regulatory checklist approach.

As Melissa Hathaway, acting senior director for cyberspace for the National Security and Homeland Security Councils, recently said, "Cyberspace won't be secured overnight off the back of one good plan. It's a marathon, not a sprint. The United States cannot succeed in securing cyberspace if it works in isolation."

This article originally appeared in the July/August 2009 issue of EnergyBiz magazine.

Copyright 2012 CyberTech, Inc.
Reader's Comments

bill payne
8.25.09
Here is a proven risk to cybersecurity.

http://home.comcast.net/~bpayne37/theinvestigation/swissradio/swissradio.mp3

mohan mohan
8.26.09
With all the intentional maligned use of IT for data theft, and the number of terrorist outfits using IT for damaging the economic strength of any country, cyber security poses a great threat to all countries across the globe. While the US has taken some steps to prevent, some holistic approach is needed at the international level to share and work in a co-operative environment, a movement, which not only takes the interest of all participating nations, but also looks at country-specific issues and comes out with a common time-bound road map.
